04-05-2015 02:26 PM
Hi,
Can I have an IOS CA Server and a GET VPN Key Server working in the same ISR G2?
Thanks
Emanuel
04-06-2015 02:26 AM
Emanuel,
GETVPN DIG is the place to go.
http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf
Quote
It is also possible to deploy IOS CA and KS on the same device for small-scale GET VPN deployments.
M.
04-06-2015 07:08 AM
Hi Marcin,
Thanks for your help.
What is small-scale in this case?
My customer has 132 remote sites, he also intends to deploy 2 routers in each remote site, and he has 2 data centers.
Does this case qualify as small-scale?
Thanks in advance
Emanuel
04-06-2015 09:47 AM
Emanuel,
No, I would not necessarily call this a small-scale deployment, although we do scale above 4000 GMs.
Please note that, at least as far as I am aware, there is no strict definition that a setup like this would not be supported for larger scale deployment. You may want to shoot your SE an email so they can discuss with the business unit if they limit supportability of such a setup somewhere.
Technically speaking, what you need to take into consideration:
- CPU utilization during registration (can be offloaded by using external CDP URL).
- Type of rekey.
- Amount of GM re-registrations. (i.e. stability of environment).
- KS COOP or not.
- KS platform of choice.
What you want to make sure is that PKI functions will not affect KS functions. (For example, during multiple spokes registering and performing CRL checks).
And make sure that KS is not a single point of failure for the entire domain - that means storing PKI data of the router.
M.
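An added configuration sketch, not part of the original thread, for the two PKI points in the reply above: CRL checks answered by an external CDP URL, and the CA data stored somewhere other than only on the key server. All names, addresses and the password are constructed placeholders (KS-CA, 192.0.2.1, 192.0.2.10, crl.example.com, <ARCHIVE-PASSWORD>), and the FTP/HTTP host is assumed to exist.

```cisco
! --- On the router acting as IOS CA and GET VPN key server ---
! SCEP enrollment requests from group members arrive over HTTP.
ip http server
!
crypto pki server KS-CA
 issuer-name CN=KS-CA,O=Example
 ! Record every issued certificate, and keep the database on an
 ! external host so it survives loss of this router.
 database level complete
 database url ftp://192.0.2.10/ks-ca
 ! Archive the CA key pair and certificate as password-protected PKCS#12.
 database archive pkcs12 password <ARCHIVE-PASSWORD>
 ! Push each newly generated CRL to the external host.
 database url crl publish ftp://192.0.2.10/crl
 ! Embed the external host as the CRL distribution point. Configure this
 ! before certificates are issued: the CDP is written into each certificate.
 cdp-url http://crl.example.com/KS-CA.crl
 lifetime crl 24
 ! No "grant auto": enrollment requests stay pending until approved.
 no shutdown
!
! --- On each group member ---
crypto pki trustpoint KS-CA
 enrollment url http://192.0.2.1:80
 ! CRL is fetched from the CDP in the peer certificate, i.e. crl.example.com,
 ! so revocation checks during registration do not load the key server.
 revocation-check crl
```

After the first `no shutdown`, confirm with `show crypto pki server` that the CA is enabled and that the CRL file is present on the external host before group members start registering.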